Atlassian hacked – passwords may have been compromised

Atlassian, the developer of leading software development and collaboration tools, has informed all customers that late on Sunday Night, US PST, a security breach was identified that may have placed some password information at risk.

The company, which has over 17,000 customers around the world including industry heavyweights like NASA, Cisco, Nike and Boeing, recently won Best Enterprise Startup and Most Likely To Change The World at the The Next Web Australia Awards . It was also named Runner Up in the best enterprise app category of this year’s TechCrunch “Crunchie” Awards beating out solutions from Microsoft, Salesforce and Amazon.

In the early hours of this morning, Sydney Time, the company’s Head of IT, Glenn Butcher, sent an email out to customers saying they had “experienced a security breach” and that they suspected that “customer account password details may have been compromised”.

The breach only affects those customers who purchased Atlassian products prior to July 2008 haven’t changed their passwords since, though no user accounts on hosted or behind the firewall installs of Atlassian’s products are at risk.

The target of the breach, according to Atlassian co-founder Mike Cannon-Brookes was an old customer database, with passwords stored in plain text, that wasn’t deleted when the company migrated customer accounts to their own secure ‘Crowd’ system.

Atlassian is recommending that any customers who believe they may be at risk immediately change their passwords.

So, all in all, it looks like it’s been a bad day for the Atlassian team, I mean, passwords should never have been held in plain text in the first place, the database should have been deleted once the migration was successfully completed and that sloppiness has caught up with them years down the track.

It’s not all bad news though.

The way Atlassian has handled this breach is a perfect example of their own “Open Company, No Bullsh*t” motto.

As soon as they became aware of the breach they did everything they could to not only spread the word but to explain clearly what had happened and admit fault for the situation.

To quote Cannon-Brookes “we dropped the ball and screwed up.”

Still Atlassian is a young company, one that has grown rapidly to be doing $40/50 Million a year in revenue and one that continues to learn as it competes with some of the largest software companies in the world.

The breach, while serious, was fortunate in that no customer financial information or SaaS user information was compromised. What’s more it still seems unclear as to whether or not any password information was actually taken. All we know for now is that it potentially was.

The most important thing for me (as a customer of Atlassian) is that I believe that I can still trust the team to do the right thing. Shit happens. People stuff up. There are few excuses when putting people’s private information at risk, but it happens to the biggest and best and how a company deals with the situation often says much more about them than the fact they were breached in the first place.

Here’s hoping that the Atlassian team have learnt a very valuable lesson and make sure that the risk of this happening again is miniscule.

More information will be published in the near future on the company’s blog.